I read a comment about malformed tags being used for XSS attacks. How am I supposed to sanitize against these? If I use a library like HTMLPurifier, does it take care of this as part of its work, or is this an independent thing? I don't hear people talking about it much.
Part of HTML Purifier's design philosophy is to only output standards-compliant HTML, in order to minimize variance in browser interpretation. Thus, HTML Purifier will never output malformed tags.
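As an added illustration (not part of the answer above, nor the library's own documentation), this is how HTML Purifier is typically wired into a comment-sanitizing step in PHP; the `sanitize_comment()` helper, the Composer autoload path, the cache directory and the sample inputs are my own assumptions.

```php
<?php
// Added example: a small wrapper around HTML Purifier for user comments.
// Assumes the library is installed via Composer (path is an assumption).
require_once __DIR__ . '/vendor/autoload.php';

function sanitize_comment(string $dirty): string
{
    static $purifier = null;
    if ($purifier === null) {
        $config = HTMLPurifier_Config::createDefault();
        // Whitelist: anything not listed is removed from the output.
        $config->set('HTML.Allowed', 'p,b,i,a[href],br');
        // Only http/https links survive; other URI schemes are dropped.
        $config->set('URI.AllowedSchemes', ['http' => true, 'https' => true]);
        // Definition cache; must be writable by the web server (assumed path).
        $config->set('Cache.SerializerPath', sys_get_temp_dir());
        $purifier = new HTMLPurifier($config);
    }
    return $purifier->purify($dirty);
}

// Constructed malformed inputs of the kind the question asks about.
$samples = [
    '<p>Hello <b>world</p>',                            // mis-nested, unclosed <b>
    '<a href="http://example.com" title="x>click</a>',  // unterminated attribute
    '<b <i>broken</b> markup',                          // junk inside a tag
];
foreach ($samples as $dirty) {
    // The purifier parses, repairs and re-serialises the fragment, so the
    // result is well-formed HTML restricted to the whitelist above.
    printf("%s\n  => %s\n", $dirty, sanitize_comment($dirty));
}
```

HTML Purifier cleans an HTML body fragment; if the result is later placed into an attribute, a URL or a script context, that context still needs its own encoding.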